test(secure_boot): Add tests for ECDSA-based secure boot scheme

tools/test_apps/security/.build-test-rules.yml

@@ -2,7 +2,10 @@
 
 tools/test_apps/security/secure_boot:
   disable:
-    - if: IDF_ENV_FPGA != 1 and CONFIG_NAME != "qemu"
+    - if: CONFIG_NAME == "ecdsa_p192"
+      reason: Building the application for secure boot using ECDSA P192 scheme can be skipped in the CI.
+  disable_test:
+    - if: CONFIG_NAME != "qemu"
       reason: the test can only run on an FPGA as efuses need to be reset during the test.
   disable_test:
     - if: IDF_TARGET in ["esp32", "esp32c2", "esp32c6", "esp32h2", "esp32s2", "esp32c61", "esp32p4", "esp32s3"]

tools/test_apps/security/secure_boot/README.md

@@ -9,17 +9,6 @@ The example checks if the secure boot feature is enabled/disabled and if enabled
 
 ### Hardware Required
 
-Any of the following ESP module:
-* ESP32 (supports Secure Boot V1)
-* ESP32-ECO3 (supports  Secure Boot V2 & Secure Boot V1)
-* ESP32S2 (supports Secure Boot V2)
-* ESP32C3-ECO3 (supports Secure Boot V2)
-* ESP32S3 (supports Secure Boot V2)
-* ESP32P4 (supports Secure Boot V2)
-* ESP32C5 (supports Secure Boot V2)
-* ESP32C61 (supports Secure Boot V2)
-* ESP32H21 (supports Secure Boot V2)
-
 It is recommended to use Secure Boot V2 from ESP32-ECO3 onwards.
 
 ### Configure the project
@@ -73,7 +62,7 @@ Purpose of the test case (`pytest_secure_boot.py`) is to test the secure boot im
 
 ### Hardware required
 
-* FPGA setup with ESP32C3/ESP32S3/ESP32P4/ESP32C5/ESP32C61/ESP32H21 image
+* FPGA setup with the target image
 
 * COM port for programming and export it as ESPPORT
     e.g `export ESPPORT=/dev/ttyUSB0`
@@ -86,7 +75,7 @@ Purpose of the test case (`pytest_secure_boot.py`) is to test the secure boot im
 ```
 export IDF_ENV_FPGA=1
 
-idf.py set-target esp32c3   #(or esp32s3 / esp32p4 / esp32c5 / esp32c61 / esp32h21)
+idf.py set-target {target}
 
 idf.py menuconfig
 ```
@@ -95,7 +84,7 @@ Under `Security features`
 
 - Enable the `Enable hardware Secure Boot`
 
-- Set the secure boot signing key ("test_rsa_3072_key.pem")
+- Set the secure boot signing key
 
 - Set UART ROM download mode to ENABLED (Required for the script to read the EFUSE)
 
@@ -116,5 +105,5 @@ Under `Security features`
 - Run the example test
 
     ```
-    pytest --target esp32c3
+    pytest --target {target}
     ```

tools/test_apps/security/secure_boot/pytest_secure_boot.py

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: Unlicense OR CC0-1.0
+import itertools
 import os
 import struct
 import zlib
@@ -19,13 +20,63 @@ from pytest_embedded_idf.utils import idf_parametrize
 
 CORRUPT_ALL_BLOCKS = 0xFF
 
+SIGNATURE_TYPE_RSA = 0
+SIGNATURE_TYPE_RSA_3072 = 1
 
-def corrupt_signature(signed_bootloader, seed=0, corrupt_sig=True, corrupt_crc=False, corrupt_block=CORRUPT_ALL_BLOCKS):
+SIGNATURE_TYPE_ECDSA = 10
-    # type: (bytes, int, bool, bool, int) -> bytes
+SIGNATURE_TYPE_ECDSA_P192 = 11
+SIGNATURE_TYPE_ECDSA_P256 = 12
+SIGNATURE_TYPE_ECDSA_P384 = 13
+
+SIGNATURE_TYPE_RSA_3072_SIZE = 384
+SIGNATURE_TYPE_ECDSA_P192_SIZE = 64
+SIGNATURE_TYPE_ECDSA_P256_SIZE = 64
+SIGNATURE_TYPE_ECDSA_P384_SIZE = 96
+
+EFUSE_KEY_BLOCKS = 6
+
+SECURE_BOOT_RSA_TARGETS = [
+    'esp32',
+    'esp32c3',
+    'esp32c5',
+    'esp32c6',
+    'esp32c61',
+    'esp32h2',
+    'esp32h21',
+    'esp32s2',
+    'esp32s3',
+    'esp32p4',
+]
+SECURE_BOOT_ECDSA_TARGETS = ['esp32c2', 'esp32c5', 'esp32c6', 'esp32c61', 'esp32h2', 'esp32h21', 'esp32p4']
+SECURE_BOOT_ECDSA_P384_TARGETS = ['esp32c5']
+
+CONFIGS_SECURE_BOOT_ECDSA = list(
+    itertools.chain(
+        itertools.product(['ecdsa_p192', 'ecdsa_p256'], SECURE_BOOT_ECDSA_TARGETS),
+        itertools.product(['ecdsa_p384'], SECURE_BOOT_ECDSA_P384_TARGETS),
+    )
+)
+
+CONFIGS_SECURE_BOOT_RSA = list(
+    itertools.chain(
+        itertools.product(['rsa_3072'], SECURE_BOOT_RSA_TARGETS),
+    )
+)
+
+
+def corrupt_signature(
+    signed_bootloader,
+    seed=0,
+    corrupt_sig=True,
+    corrupt_crc=False,
+    corrupt_block=CORRUPT_ALL_BLOCKS,
+    signature_type=SIGNATURE_TYPE_RSA_3072,
+):
+    # type: (bytes, int, bool, bool, int, int) -> bytes
     image = signed_bootloader[:-4096]
     signature = signed_bootloader[-4096:]
     sig_blocks = (signature[0:1216], signature[1216:2432], signature[2432:3648])
-    new_blocks = tuple(corrupt_sig_block(s, seed, corrupt_sig, corrupt_crc) for s in sig_blocks)
+    new_blocks = tuple(corrupt_sig_block(s, seed, corrupt_sig, corrupt_crc, signature_type) for s in sig_blocks)
 
     # if corrupt_block is CORRUPT_ALL_BLOCKS, corrupt all blocks
     # otherwise, only corrupt the one with that index set
@@ -36,15 +87,26 @@ def corrupt_signature(signed_bootloader, seed=0, corrupt_sig=True, corrupt_crc=F
     return image + b''.join(corr_sig_blocks) + signature[3648:]
 
 
-def corrupt_sig_block(sig_block, seed=0, corrupt_sig=True, corrupt_crc=False):
+def corrupt_sig_block(sig_block, seed=0, corrupt_sig=True, corrupt_crc=False, signature_type=SIGNATURE_TYPE_RSA_3072):
-    # type: (bytes, int, bool, bool) -> bytes
+    # type: (bytes, int, bool, bool, int) -> bytes
     assert len(sig_block) == 1216
     magic = sig_block[0]
     assert magic in [0xE7, 0xFF]
     if magic != 0xE7:
         return sig_block  # not valid
-    data = sig_block[:812]
+
-    new_sig = sig = sig_block[812:1196]
+    if signature_type == SIGNATURE_TYPE_RSA_3072:
+        data = sig_block[:812]
+        new_sig = sig = sig_block[812:1196]
+    elif signature_type in [SIGNATURE_TYPE_ECDSA_P192, SIGNATURE_TYPE_ECDSA_P256]:
+        data = sig_block[:101]
+        new_sig = sig = sig_block[101:165]
+    elif signature_type == SIGNATURE_TYPE_ECDSA_P384:
+        data = sig_block[:149]
+        new_sig = sig = sig_block[149:245]
+    else:
+        raise ValueError('Invalid signature type: {}'.format(signature_type))
+
     crc = sig_block[1196:1200]
     padding = sig_block[1200:1216]
 
@@ -80,9 +142,6 @@ def dut_start_secure_app(dut: Dut) -> None:
     dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin'))
 
 
-# Test secure boot flow.
-# Correctly signed bootloader + correctly signed app should work
-@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target'])
 def test_examples_security_secure_boot(dut: Dut) -> None:
     dut_start_secure_app(dut)
     dut.expect('Secure Boot is enabled', timeout=10)
@@ -90,6 +149,18 @@ def test_examples_security_secure_boot(dut: Dut) -> None:
     dut.burn_wafer_version()
 
 
+# Test secure boot flow.
+# Correctly signed bootloader + correctly signed app should work
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_rsa(dut: Dut) -> None:
+    test_examples_security_secure_boot(dut)
+
+
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None:
+    test_examples_security_secure_boot(dut)
+
+
 # Test secure boot flow.
 # Correctly signed bootloader + correctly signed app should work
 @pytest.mark.host_test
@@ -106,6 +177,7 @@ def test_examples_security_secure_boot(dut: Dut) -> None:
 )
 @pytest.mark.parametrize('target', ['esp32c3'], indirect=True)
 @pytest.mark.parametrize('config', ['qemu'], indirect=True)
+@idf_parametrize('target', ['esp32c3'], indirect=['target'])
 def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
     try:
         dut.expect('Secure Boot is enabled', timeout=10)
@@ -121,50 +193,92 @@ def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
             efuse_file.write(bytearray.fromhex(esp32c3_efuses))
 
 
+def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
+    dut_start_secure_app(dut)
+    dut.expect('Secure Boot is enabled', timeout=10)
+    efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
+    secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY')
+    for index in range(efuse_secure_boot_key_digests):
+        for block in range(EFUSE_KEY_BLOCKS):
+            dut.serial.reset_efuses()
+            dut.burn_wafer_version()
+            dut.secure_boot_burn_en_bit()
+            dut.secure_boot_burn_digest(secure_boot_key, index, block)
+            dut.expect('Secure Boot is enabled', timeout=10)
+    dut.serial.reset_efuses()
+    dut.burn_wafer_version()
+
+
 # Test efuse key index and key block combination.
 # Any key index can be written to any key block and should work
 # Increasing the test timeout to 1200s as the test runs for 18 iterations
 # and thus the default 600s timeout is not sufficient
 @pytest.mark.timeout(1200)
-@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target'])
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
-def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
+def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_key_combo(dut)
+
+
+# Test efuse key index and key block combination.
+# Any key index can be written to any key block and should work
+# Increasing the test timeout to 1200s as the test runs for 18 iterations
+# and thus the default 600s timeout is not sufficient
+@pytest.mark.timeout(1200)
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_key_combo(dut)
+
+
+def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
     dut_start_secure_app(dut)
     dut.expect('Secure Boot is enabled', timeout=10)
-    for index in range(3):
+    efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
-        for block in range(6):
+    secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY')
-            dut.serial.reset_efuses()
+
-            dut.burn_wafer_version()
+    for index in range(efuse_secure_boot_key_digests):
-            dut.secure_boot_burn_en_bit()
+        dut.serial.reset_efuses()
-            dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, block)
+        dut.burn_wafer_version()
-            dut.expect('Secure Boot is enabled', timeout=10)
+        dut.secure_boot_burn_en_bit()
+        dut.serial.burn_efuse('SECURE_BOOT_KEY_REVOKE%d' % index, 1)
+        dut.secure_boot_burn_digest(secure_boot_key, index, 0)
+        dut.expect('secure boot verification failed', timeout=5)
     dut.serial.reset_efuses()
     dut.burn_wafer_version()
 
 
 # Test secure boot key revoke.
 # If a key is revoked, bootloader signed with that key should fail verification
-@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target'])
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
-def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
+def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None:
-    dut_start_secure_app(dut)
+    test_examples_security_secure_boot_key_revoke(dut)
-    dut.expect('Secure Boot is enabled', timeout=10)
-    for index in range(3):
-        dut.serial.reset_efuses()
-        dut.burn_wafer_version()
-        dut.secure_boot_burn_en_bit()
-        dut.serial.burn_efuse('SECURE_BOOT_KEY_REVOKE%d' % index, 1)
-        dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, 0)
-        dut.expect('secure boot verification failed', timeout=5)
-    dut.serial.reset_efuses()
-    dut.burn_wafer_version()
 
 
-# Test bootloader signature corruption.
+# Test secure boot key revoke.
-# Corrupt one byte at a time of bootloader signature and test that the verification fails
+# If a key is revoked, bootloader signed with that key should fail verification
-@pytest.mark.timeout(18000)
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
-# Increasing the test timeout to 18000s as the test runs for 384 iterations
+def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None:
-# and thus the default 600s timeout is not sufficient
+    test_examples_security_secure_boot_key_revoke(dut)
-@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target'])
+
-def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None:
+
+def get_signature_type_size(dut: Dut, signature_type: int) -> int:
+    signature_type_size = 0
+    if signature_type == SIGNATURE_TYPE_RSA:
+        signature_type_size = SIGNATURE_TYPE_RSA_3072_SIZE
+    elif signature_type == SIGNATURE_TYPE_ECDSA:
+        if dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_192_BITS'):
+            signature_type_size = SIGNATURE_TYPE_ECDSA_P192_SIZE
+        elif dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS'):
+            signature_type_size = SIGNATURE_TYPE_ECDSA_P256_SIZE
+        elif dut.app.sdkconfig.get('CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS'):
+            signature_type_size = SIGNATURE_TYPE_ECDSA_P384_SIZE
+        else:
+            raise ValueError('Invalid signature type: {}'.format(signature_type))
+    else:
+        raise ValueError('Invalid signature type: {}'.format(signature_type))
+    return signature_type_size
+
+
+def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None:
     dut_start_secure_app(dut)
     dut.expect('Secure Boot is enabled', timeout=10)
 
@@ -172,8 +286,10 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None:
     with open(bootloader_bin, 'rb') as f:
         signed_bl = f.read()
 
-    seeds = range(0, 384)
+    signature_type_size = get_signature_type_size(dut, signature_type)
+    seeds = range(0, signature_type_size)
     max_seed = max(seeds)
+    secure_boot_key = dut.app.sdkconfig.get('SECURE_BOOT_SIGNING_KEY')
 
     for seed in seeds:
         print('Case %d / %d' % (seed, max_seed))
@@ -184,7 +300,7 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None:
         dut.burn_wafer_version()
         dut.serial.bootloader_flash('corrupt_bl.bin')
         dut.secure_boot_burn_en_bit()
-        dut.secure_boot_burn_digest('test_rsa_3072_key.pem', 0, 0)
+        dut.secure_boot_burn_digest(secure_boot_key, 0, 0)
         # Though the order of flashing and burning efuse would not effect the test,
         # if we flash bootlader before burning en bit, even with no_stub = True
         # it still calls run_stub() and throws an error as it fails to start stub.
@@ -193,13 +309,27 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None:
     dut.burn_wafer_version()
 
 
-# Test app signature corruption.
+# Test bootloader signature corruption.
-# Corrupt app signature, one byte at a time, and test that the verification fails
+# Corrupt one byte at a time of bootloader signature and test that the verification fails
 @pytest.mark.timeout(18000)
-# Increasing the test timeout to 18000s as the test runs for 385 iterations
+# Increasing the test timeout to 18000s as the test runs for 384 iterations
 # and thus the default 600s timeout is not sufficient
-@idf_parametrize('target', ['esp32c3', 'esp32c5', 'esp32c61', 'esp32s3', 'esp32p4'], indirect=['target'])
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
-def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None:
+def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
+
+
+# Test bootloader signature corruption.
+# Corrupt one byte at a time of bootloader signature and test that the verification fails
+@pytest.mark.timeout(18000)
+# Increasing the test timeout to 18000s as the test runs for 384 iterations
+# and thus the default 600s timeout is not sufficient
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
+
+
+def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None:
     dut_start_secure_app(dut)
     dut.expect('Secure Boot is enabled', timeout=10)
 
@@ -207,7 +337,8 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None:
     with open(app_bin, 'rb') as f:
         signed_app = f.read()
 
-    seeds = range(0, 384)
+    signature_size = get_signature_type_size(dut, signature_type)
+    seeds = range(0, signature_size)
     max_seed = max(seeds)
 
     for seed in seeds:
@@ -245,3 +376,23 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None:
     )
     dut.expect('Secure boot signature verification failed', timeout=2)
     dut.expect('No bootable app partitions in the partition table', timeout=2)
+
+
+# Test app signature corruption.
+# Corrupt app signature, one byte at a time, and test that the verification fails
+@pytest.mark.timeout(18000)
+# Increasing the test timeout to 18000s as the test runs for 385 iterations
+# and thus the default 600s timeout is not sufficient
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
+
+
+# Test app signature corruption.
+# Corrupt app signature, one byte at a time, and test that the verification fails
+@pytest.mark.timeout(18000)
+# Increasing the test timeout to 18000s as the test runs for 385 iterations
+# and thus the default 600s timeout is not sufficient
+@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
+def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None:
+    test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)

tools/test_apps/security/secure_boot/sdkconfig.ci.03

@@ -1,4 +0,0 @@
-# ESP32-S2 Secure Boot
-CONFIG_IDF_TARGET="esp32s2"
-CONFIG_SECURE_BOOT=y
-CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem"

tools/test_apps/security/secure_boot/sdkconfig.ci.04

@@ -1,5 +1,4 @@
-# ESP32-S2 Secure Boot & Flash Encryption (Release mode)
+# Secure Boot & Flash Encryption (Release mode)
-CONFIG_IDF_TARGET="esp32s2"
 CONFIG_SECURE_BOOT=y
 CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem"
 CONFIG_SECURE_FLASH_ENC_ENABLED=y

tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p192

@@ -0,0 +1,9 @@
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y
+CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p192_key.pem"
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y

tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p256

@@ -0,0 +1,9 @@
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y
+CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_256_BITS=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p256_key.pem"
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y

tools/test_apps/security/secure_boot/sdkconfig.ci.ecdsa_p384

@@ -0,0 +1,9 @@
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_V2_SCHEME=y
+CONFIG_SECURE_BOOT_ECDSA_KEY_LEN_384_BITS=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test_ecdsa_p384_key.pem"
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y

tools/test_apps/security/secure_boot/sdkconfig.ci.rsa_3072

@@ -0,0 +1,8 @@
+
+CONFIG_PARTITION_TABLE_OFFSET=0xD000
+
+CONFIG_SECURE_BOOT=y
+CONFIG_SECURE_BOOT_V2_ENABLED=y
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem"
+CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y

tools/test_apps/security/secure_boot/test_ecdsa_p192_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MF8CAQEEGCqtXL4T69v9OhhrHcI0kQNC0NFkmOQ6DqAKBggqhkjOPQMBAaE0AzIA
+BDvdwlHoSE5QQ6JBU0Ovy2LjEEuoXVwpPebH3Z87B1ByYLWPZp8XhXWl7Vj7wFK7
+dw==
+-----END EC PRIVATE KEY-----

tools/test_apps/security/secure_boot/test_ecdsa_p256_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJLB2fFAa7istjO0AWfEbvJM8Kn0T+R38GXalwX3oP6GoAoGCCqGSM49
+AwEHoUQDQgAEy2N3ohJ1hIjU2AHNyVKGafSrmGhizG1/xOTOtASbJpiVI3ccUVXI
+zrDSnrTwg331qOAT7WWkY1p4ixZvP6HWzA==
+-----END EC PRIVATE KEY-----

tools/test_apps/security/secure_boot/test_ecdsa_p384_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDC/5UVo7tqYLt17BnN85NRhMRakLUYNrxCEb0nA5bN5WzpILMqCFkjzWWyC6FkeK02g
+BwYFK4EEACKhZANiAAQPbOGJCBJtR6oB29nt6BP+JeMc4+KUkJbusFDT26arFZwcsDEZ/m+GatAl
+GmlOuNGa4F4fJDjSsuz0ejKK4LQ1DliDopGmieIUWPCEScVZNu9DX2PuGC8NIyMU9Ry4Poc=
+-----END EC PRIVATE KEY-----